Analysis Overview
SHA256
6633f19132821190e3fa92befd285f74556e9f8b1f29dc52baeed496a2049835
Threat Level: Known bad
The submitted archive 6633f19132821190e3fa92befd285f74556e9f8b1f29dc52baeed496a2049835.zip was classified Known bad. The executable extracted from it, 708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe, is the process detonated in the behavioral runs below.
Malicious Activity Summary
Agenttesla family
AgentTesla
AgentTesla payload
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks computer location settings
Reads user/profile data of local email clients
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 10:40
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 10:40
Reported
2024-11-12 10:43
Platform
win7-20240903-en
Max time kernel
136s
Max time network
123s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1820 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
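The task is registered by the loader spawning schtasks.exe with /Create /TN "Updates\neHneiobyhcrJJ" /XML and a tmp file in the user's Temp directory (the full command lines are in the process lists of both behavioral runs; tmp4FC5.tmp and tmp4A04.tmp are the task definitions, listed with their hashes under Files). Note the image path: the loader asks for C:\Windows\System32\schtasks.exe, but because it is a 32-bit process the request is redirected to SysWOW64. The robust indicator here is a task created from an XML in a user-writable profile directory; the task name is cheap for the author to change. The Python below is an added example, not part of the report or the sandbox's own signature logic: it parses schtasks command lines of this shape, flags creation from a user-writable XML, and extracts triggers and actions from a task definition. The task XML it parses is a constructed stand-in, since the report lists only the tmp files' hashes, and the command path inside it is hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# The first two command lines are the ones shown in the behavioral1 and behavioral2
# process lists; the third is a constructed benign control (vendor task from Program Files).
CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FC5.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A04.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /XML "C:\Program Files\Microsoft Office\root\Office16\task.xml"',
]

# Windows-style tokenizer: quoted arguments (which may contain spaces) or bare words.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmd):
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmd)]

def parse_schtasks(cmd):
    """Return {"create", "tn", "xml"} for a schtasks.exe invocation, else None."""
    toks = tokenize(cmd)
    if not toks or PureWindowsPath(toks[0]).name.lower() != "schtasks.exe":
        return None
    info = {"create": False, "tn": None, "xml": None}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            info["create"] = True
        elif t in ("/tn", "/xml") and i + 1 < len(toks):
            info[t[1:]] = toks[i + 1]   # value follows the switch
            i += 1
        i += 1
    return info

# Anything under a user's AppData is writable by that user and is where droppers stage files.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)

def is_suspicious(info):
    """Task creation whose definition file lives in a user-writable profile directory."""
    return bool(info and info["create"] and info["xml"] and USER_WRITABLE.search(info["xml"]))

# Task Scheduler XML namespace (the real one used by schtasks /XML files).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed stand-in for tmp4FC5.tmp; the report gives only the file's hashes.
# The Command path is hypothetical.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Roaming\neHneiobyhcrJJ.exe</Command>
    </Exec>
  </Actions>
</Task>"""

def task_summary(xml_text):
    """Pull the trigger types and Exec commands out of a task definition."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [el.tag.split("}")[-1] for el in trig] if trig is not None else []
    commands = [c.text for c in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    return {"triggers": triggers, "commands": commands}

if __name__ == "__main__":
    for cmd in CMDLINES:
        info = parse_schtasks(cmd)
        print("SUSPICIOUS" if is_suspicious(info) else "ok        ", info["tn"], "<-", info["xml"])
    print(task_summary(SAMPLE_TASK_XML))
```

On a live host the same check runs over Sysmon EventID 1 or Security 4688 command lines; pair it with a file-create watch on the tmp path so the XML can be collected before the loader deletes it.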
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Suspicious use of WriteProcessMemory
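Taken together, the SetThreadContext, AdjustPrivilegeToken and WriteProcessMemory rows describe a process-hollowing chain: the sample enables SeDebugPrivilege, starts a second copy of its own image (the third entry in the process list below), and the parent (PID 1820) sets the thread context of that child (PID 2804); the WriteProcessMemory signature fired without listing a target. Every dump taken from the child covers 0x400000-0x43C000, the usual image base of a 32-bit PE, and the AgentTesla payload signature is memory-based, which is consistent with the payload existing only inside the hollowed child. behavioral2 shows the same chain with PIDs 3372 and 2368, and its CLR_v4.0_32 UsageLogs entry shows the loader is a 32-bit .NET 4 assembly, which is also why its schtasks child runs from SysWOW64. The Python below is an added example, not the sandbox's own logic: it correlates a constructed event stream (PIDs 1820 and 2804 are from the report; the schtasks PID, the WriteProcessMemory target and the event order are assumptions) into a hollowing finding, and separately flags system binaries spawned from the user's Temp directory.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    kind: str                      # "create", "adjust_token", "write_process_memory", "set_thread_context"
    pid: int                       # acting process
    image: str                     # acting process image path
    target: Optional[int] = None   # process created / written to / whose thread context was set
    target_image: str = ""         # image of the created process (create events only)
    detail: str = ""               # privilege name for adjust_token events

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed event stream modelled on behavioral1. PIDs 1820/2804 appear in the report;
# the schtasks PID (2500), the WriteProcessMemory target and the ordering are assumed.
EVENTS = [
    Event("adjust_token", 1820, SAMPLE, detail="SeDebugPrivilege"),
    Event("create", 1820, SAMPLE, target=2500, target_image=SCHTASKS),
    Event("create", 1820, SAMPLE, target=2804, target_image=SAMPLE),
    Event("write_process_memory", 1820, SAMPLE, target=2804),
    Event("set_thread_context", 1820, SAMPLE, target=2804),
]

def _pair(events, kind, parent, child):
    return any(e.kind == kind and (e.pid, e.target) == (parent, child) for e in events)

def find_hollowing(events):
    """A parent creates a child, then rewrites the child's thread context (optionally after
    writing its memory). That is the trace a hollowing loader leaves; one finding per pair."""
    children = {(e.pid, e.target): e.target_image for e in events if e.kind == "create"}
    privs = {}
    for e in events:
        if e.kind == "adjust_token":
            privs.setdefault(e.pid, set()).add(e.detail)
    findings = []
    for (parent, child), child_image in children.items():
        if not _pair(events, "set_thread_context", parent, child):
            continue
        parent_image = next(e.image for e in events if e.pid == parent)
        same_image = child_image.lower() == parent_image.lower()
        wrote = _pair(events, "write_process_memory", parent, child)
        findings.append({
            "parent": parent, "child": child,
            "self_image": same_image,      # child is a fresh copy of the parent's own binary
            "wrote_memory": wrote,
            "privileges": sorted(privs.get(parent, ())),
            "confidence": "high" if (same_image and wrote) else "medium",
        })
    return findings

# User-writable staging directory; a loader running from here should not be spawning system tools.
USER_TEMP = "\\appdata\\local\\temp\\"

def find_temp_spawned_lolbins(events, lolbins=("schtasks.exe", "cmd.exe", "powershell.exe")):
    """Processes created by an image running out of the user's Temp directory."""
    return [(e.pid, e.target, e.target_image) for e in events
            if e.kind == "create" and USER_TEMP in e.image.lower()
            and e.target_image.lower().rsplit("\\", 1)[-1] in lolbins]

if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print("hollowing:", f)
    for hit in find_temp_spawned_lolbins(EVENTS):
        print("temp-spawned LOLBin:", hit)
```

The same correlation works over Sysmon data: EventID 1 for the creates, EventID 8 (CreateRemoteThread) or EventID 10 (ProcessAccess with a write-capable access mask) standing in for the sandbox's injection rows, since Sysmon does not log SetThreadContext directly. Dump the child's 0x400000 region before the parent resumes it if you want the unpacked payload.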
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
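The three Outlook keys opened above all end in the profile section 9375CFF0413111d3B88A00104B2A6676, the MAPI section under which Outlook keeps its per-account settings, including stored mail passwords; the Office\15.0 and Office\16.0 paths cover Outlook 2013 and 2016 or later, and the Windows Messaging Subsystem path covers profiles written by older Outlook versions. Opening all three in sequence, regardless of which Outlook is installed, is the stealer enumerating every place a profile could live. The same keys, plus the NLS\Language and Geo\Nation reads, recur in behavioral2. The Python below is an added example, not part of the report: it maps registry-access rows of this shape to the report's own signature names and the ATT&CK technique IDs it cites. The event list is constructed from the rows in both runs plus one control row that matches nothing; the hive normalisation and the rule set are mine.

```python
import re
from collections import Counter

# Constructed (operation, key path) events mirroring the registry rows in the report;
# the last row is a control that matches no rule.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Native-format hive prefixes as the sandbox logs them; the SID varies per machine.
SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\", re.I)
MACHINE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.I)

def normalize(path):
    """Collapse \\REGISTRY\\USER\\<SID>\\ to HKU\\ and \\REGISTRY\\MACHINE\\ to HKLM\\."""
    path = SID_RE.sub(r"HKU\\", path)
    return MACHINE_RE.sub(r"HKLM\\", path)

# (signature name as the report labels it, ATT&CK technique, pattern on the normalised path)
RULES = [
    # Outlook 2013 / 2016+ profiles: account subkeys hold the stored credentials
    ("outlook_office_path", "T1552.001",
     re.compile(r"^HKU\\Software\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles\\", re.I)),
    # Pre-2013 profile location
    ("outlook_win_path", "T1552.001",
     re.compile(r"^HKU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I)),
    ("System Location Discovery: System Language Discovery", "T1614.001",
     re.compile(r"^HKLM\\SYSTEM\\ControlSet\d+\\Control\\NLS\\Language$", re.I)),
    ("Checks computer location settings", "T1614",
     re.compile(r"^HKU\\Control Panel\\International\\Geo\\Nation$", re.I)),
]

def classify(path):
    """All (signature, technique) pairs whose pattern matches the key path."""
    norm = normalize(path)
    return [(name, tech) for name, tech, rx in RULES if rx.search(norm)]

def summarize(events):
    """Count hits per signature and collect the paths no rule explains."""
    hits, unmatched = Counter(), []
    for _op, path in events:
        matches = classify(path)
        if not matches:
            unmatched.append(path)
        for m in matches:
            hits[m] += 1
    return hits, unmatched

if __name__ == "__main__":
    hits, unmatched = summarize(SAMPLE_EVENTS)
    for (name, tech), n in hits.most_common():
        print(f"{n}x {name} [{tech}]")
    print("unmatched:", unmatched)
```

Windows does not audit key opens by default; to see this on a host, enable object-access auditing with a SACL on the Outlook profile keys (Security 4656/4663), or rely on an EDR that records registry reads, and alert when a process outside Outlook's own image opens these paths.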
Processes
C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FC5.tmp"
C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
Network
Files
memory/1820-0-0x00000000747DE000-0x00000000747DF000-memory.dmp
memory/1820-1-0x0000000000C40000-0x0000000000D2E000-memory.dmp
memory/1820-2-0x0000000000370000-0x000000000037A000-memory.dmp
memory/1820-3-0x00000000747D0000-0x0000000074EBE000-memory.dmp
memory/1820-4-0x00000000747DE000-0x00000000747DF000-memory.dmp
memory/1820-5-0x00000000747D0000-0x0000000074EBE000-memory.dmp
memory/1820-6-0x0000000005260000-0x00000000052D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4FC5.tmp
| MD5 | b6066ad35d085560b49adc64120cfa0a |
| SHA1 | 2149b223a5b6f304144fd9335b3e4abd58d3e4b0 |
| SHA256 | a3472e1ca85b9159a512f16b64368d83303e6ceaa96dcd5f839556568a34bb44 |
| SHA512 | 15822ce540f77cd4ec0bca2343ffee9523d1003fc40a6ac0600f8b884b76336d0e31b8a4b860cac51cd87718ff02baea87f1b3003b4b26e227a04393a5a3f5fd |
memory/2804-12-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2804-20-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1820-26-0x00000000747D0000-0x0000000074EBE000-memory.dmp
memory/2804-25-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2804-28-0x00000000747D0000-0x0000000074EBE000-memory.dmp
memory/2804-27-0x00000000747D0000-0x0000000074EBE000-memory.dmp
memory/2804-22-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2804-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2804-17-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2804-16-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2804-14-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2804-29-0x00000000747D0000-0x0000000074EBE000-memory.dmp
memory/2804-30-0x00000000747D0000-0x0000000074EBE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 10:40
Reported
2024-11-12 10:43
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3372 set thread context of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A04.tmp"
C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
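Every row in this table is a DNS query to the sandbox's resolver (8.8.8.8), and every queried name is a reverse lookup (in-addr.arpa). The table attributes no row to a process, and it records no connection from the sample to a mail, FTP or web endpoint, so none of the exfiltration channels AgentTesla is known for (SMTP, FTP, HTTP, Telegram) was exercised in the 150 s window. Decoded, the names are reverse lookups of the kind of Microsoft and CDN addresses a fresh Windows 10 sandbox contacts on its own; treat them as background noise rather than C2 unless a process attribution says otherwise. The Python below is an added example, not the report's: it reverses the PTR names back to addresses and separates resolver traffic from anything else, so a capture with a real outbound connection would surface it. The rows are copied from the table above.

```python
import ipaddress

# Rows copied from the behavioral2 Network table: (country, destination, queried name, proto).
DNS_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "2.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "100.117.19.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "11.227.111.52.in-addr.arpa", "udp"),
]

def ptr_to_ip(name):
    """Turn a reverse-lookup name (in-addr.arpa or ip6.arpa) back into the address it
    describes; return None for any other name or a malformed one."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) == 4:                        # labels are the octets in reverse order
            try:
                return str(ipaddress.IPv4Address(".".join(reversed(octets))))
            except ValueError:
                return None
    elif name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) == 32:                      # one hex nibble per label, reversed
            try:
                return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
            except ValueError:
                return None
    return None

def triage(rows):
    """Split a capture into resolver traffic (decoded where it is a PTR) and everything else."""
    resolvers, reverse, forward, other = set(), [], [], []
    for _country, dest, name, proto in rows:
        host, _, port = dest.rpartition(":")
        if port == "53":
            resolvers.add(host)
            ip = ptr_to_ip(name)
            (reverse if ip else forward).append(ip or name)
        else:
            other.append((dest, proto))             # a real connection: the rows worth reading
    return {"resolvers": sorted(resolvers), "reverse_lookups": reverse,
            "forward_lookups": forward, "non_dns": other}

if __name__ == "__main__":
    result = triage(DNS_ROWS)
    print("resolvers:", result["resolvers"])
    print("reverse lookups of:", result["reverse_lookups"])
    print("forward lookups:", result["forward_lookups"])
    print("non-DNS connections:", result["non_dns"] or "none captured")
```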
Files
memory/3372-0-0x000000007506E000-0x000000007506F000-memory.dmp
memory/3372-1-0x0000000000180000-0x000000000026E000-memory.dmp
memory/3372-2-0x0000000004C70000-0x0000000004D0C000-memory.dmp
memory/3372-3-0x00000000052C0000-0x0000000005864000-memory.dmp
memory/3372-4-0x0000000004D10000-0x0000000004DA2000-memory.dmp
memory/3372-5-0x0000000004C60000-0x0000000004C6A000-memory.dmp
memory/3372-6-0x0000000004E10000-0x0000000004E66000-memory.dmp
memory/3372-7-0x0000000075060000-0x0000000075810000-memory.dmp
memory/3372-8-0x0000000004DF0000-0x0000000004DFA000-memory.dmp
memory/3372-9-0x000000007506E000-0x000000007506F000-memory.dmp
memory/3372-10-0x0000000075060000-0x0000000075810000-memory.dmp
memory/3372-11-0x0000000005C50000-0x0000000005CC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4A04.tmp
| MD5 | d855424334a00856c942017f5f2aa68a |
| SHA1 | a77750f366042a168eb422b1e0c912db0049c496 |
| SHA256 | cad8d474fd5938bac68c6964d7286b99ad931c86b2be56d81a5d9afdde14bd28 |
| SHA512 | 7bd51742af5638b1788aee063cd5d4be3214c0afa7614375bc16b5565fc55fed46ed3f3e6d26a0c3b20c22d8f8c2d37c0cd2113cbb874cc482bc911cc455a150 |
memory/2368-17-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |
memory/2368-20-0x0000000075060000-0x0000000075810000-memory.dmp
memory/3372-21-0x0000000075060000-0x0000000075810000-memory.dmp
memory/2368-22-0x0000000075060000-0x0000000075810000-memory.dmp
memory/2368-23-0x0000000005820000-0x0000000005838000-memory.dmp
memory/2368-24-0x0000000006500000-0x0000000006566000-memory.dmp
memory/2368-25-0x0000000075060000-0x0000000075810000-memory.dmp
memory/2368-26-0x0000000075060000-0x0000000075810000-memory.dmp
memory/2368-27-0x00000000066E0000-0x0000000006730000-memory.dmp
memory/2368-28-0x0000000075060000-0x0000000075810000-memory.dmp